
Not able to run any command thru console (Command authorization failed)

ohforce55
Level 1

Hi,

 

I recently upgraded the IOS of the firewall 5540.

Prior to the upgrade, I deleted the aaa commands in case I could get locked once it rebooted.

 

no aaa authentication serial console TACACS+ LOCAL
no aaa authentication enable console TACACS+ LOCAL
no aaa authorization command TACACS+ LOCAL

 

TACACS+ refers to the ACS.

 

After the upgrade, I added the aaa commands back and noticed that I couldn't run any command on console and got this error message

 

enc-wups-ex-vpnasa5540-1/act# sh run

Command authorization failed

 

As I typed any command, I got that error message.

If I removed "aaa authorization command TACACS+ LOCAL" I could run any command on console.

 

 

And, I could run any command thru SSH having those aaa commands.

 

My colleague resolved this issue. He said

 

remove it and log off console

then add it from ssh

and then login

 

But I'm not sure what he meant when he said "remove it and log off console"

Did he remove it on console? If he did, how could he remove it although he couldn't run any command?

Maybe he used local username?

 

Please help!

 

 

Thank you!

5 Replies

Hello,

 

At first glance, your problem looks to be user privilege on ACS. As per your description you only upgraded the ASA, but make sure everything is OK on ACS. Maybe you can delete the ASA as a client on ACS and add it again. Do the same for your user.

This can be some synchronization issue between the two platforms after the upgrade.

 

-If I helped you somehow, please, rate it as useful.-

Hi,

 

Thanks for your reply.

When I checked the ACS, there wasn't any issue.

I don't think this is a privilege issue either, because I could run any command before the upgrade with the credential.

Hi  ohforce55,

 

Have you checked the event logs at ACS? That will give you a good idea of why ACS is not authorizing you to enter any command.

Spooster IT Services Team

Hi,

 

There wasn't even a log for it since I couldn't run any command.
